Basic example

This example demonstrates basic HEC usage. It includes the Splunk server address including port and endpoint, the authentication token, and event data and metadata formatted according to the HEC event data format specification.

Raw example with batching

This example shows how to send raw, batched events to HEC. In this case, we're sending splunkd access logs. We've indicated that the indexer should assign these events the sourcetype of splunkd_access, and specified that they should be indexed by main.

Indexer acknowledgement example

This example demonstrates how to send events to HEC with indexer acknowledgement enabled. Note that the sole difference between this example and the basic example is the inclusion of a channel identifier. Indexer acknowledgement also works with raw data.

Check acknowledgement status example

This example demonstrates how to check the indexing status of a prior HEC request. Note that we're sending the request to the ack endpoint, and we're including "acks" key, which is set equal to the three acknowledgement identifiers (ackIDs) whose status we want to know.

Basic authentication example

This example demonstrates basic authentication, which is an alternative to the HTTP Authentication that has been demonstrated in all of the previous examples. To use basic auth, place a colon-separated user/password pair in the request after -u as shown here, inserting the token as the <password> and any string (we've used x) as the <user>: "<user>:<password>".

Questions?

Doc feedback?

If you have feedback about the documentation, we're all ears. Email us at devfeedback@splunk.com and let us know how we're doing.

We use our own and third-party cookies to provide you with a great online experience. We also use these cookies to improve our products and services, support our marketing campaigns, and advertise to you on our website and other websites. Some cookies may continue to collect information after you have left our website.
Learn more (including how to update your settings) here »